mailwolt-installer/scripts/75-le-issue.sh


#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh
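# Webroot that nginx serves for /.well-known/acme-challenge/ — the HTTP-01
# challenge files certbot writes must be reachable there on port 80.
ACME_WEBROOT="/var/www/letsencrypt"
install -d -m 0755 "${ACME_WEBROOT}/.well-known/acme-challenge"
# LE_STAGING=1 requests from the staging CA (--test-cert): the certificates
# are not browser-trusted, but the production rate limits are not consumed.
# Useful while DNS/firewall are still being sorted out.
CERTBOT_EXTRA=()
LE_STAGING="${LE_STAGING:-0}"
[[ "$LE_STAGING" = "1" ]] && CERTBOT_EXTRA+=(--test-cert)
# Account contact address handed to Let's Encrypt (-m); LE_EMAIL overrides,
# otherwise admin@BASE_DOMAIN. BASE_DOMAIN is expected from lib.sh/the
# environment: `set -u` only catches an *unset* value, an *empty* one would
# silently produce "admin@" as contact, so fail loudly on both.
: "${BASE_DOMAIN:?BASE_DOMAIN muss gesetzt sein}"
LE_MAIL="${LE_EMAIL:-admin@${BASE_DOMAIN}}"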
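resolve_ok() {
  # Return 0 when ${host} resolves to at least one of this server's public
  # addresses (SERVER_PUBLIC_IPV4 / SERVER_PUBLIC_IPV6), or when neither of
  # those is configured (nothing to compare against, so the check is skipped).
  # Returns non-zero when the name does not resolve or none of its addresses
  # is ours.
  # NOTE(review): a name that additionally points at other hosts still passes
  # as long as one address is ours; the HTTP-01 validation may then be served
  # by the other host. probe_http() is the second line of defence.
  local host="$1"
  local -a wanted=()
  local addr want
  [[ -n "${SERVER_PUBLIC_IPV4:-}" ]] && wanted+=("${SERVER_PUBLIC_IPV4}")
  [[ -n "${SERVER_PUBLIC_IPV6:-}" ]] && wanted+=("${SERVER_PUBLIC_IPV6}")
  [[ ${#wanted[@]} -eq 0 ]] && return 0
  # Compare literally instead of building an ERE from the addresses: "\:" is
  # not a defined escape in POSIX ERE, and any regex metacharacter that ends
  # up in the variable would silently change the pattern. It also avoids the
  # `grep -q` early-exit / pipefail race of the old pipeline. Equality means
  # SERVER_PUBLIC_IPV6 must be in the same (canonical) form getent prints.
  while read -r addr _; do
    for want in "${wanted[@]}"; do
      [[ "$addr" == "$want" ]] && return 0
    done
  done < <(getent ahosts "$host")
  return 1
}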
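probe_http() {
  # Verify that an HTTP request for a file below the ACME challenge path of
  # ${host} really reaches *this* server's ${ACME_WEBROOT}: write a random
  # token into a uniquely named probe file, fetch it over IPv4 and then IPv6,
  # and require the response body to equal the token. A bare HTTP 200 (what
  # `curl -f` alone checks) is also returned by any other web server that
  # answers for the name — a catch-all vhost, a CDN, or a stale "_probe" left
  # from an earlier run. The probe file is removed again on every path.
  # Returns 0 when one address family delivered the token, 1 otherwise.
  local host="$1"
  local dir="${ACME_WEBROOT}/.well-known/acme-challenge"
  local token name probe_file body family rc=1
  token="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  name="_probe-${token}"
  probe_file="${dir}/${name}"
  printf '%s' "$token" > "$probe_file"
  for family in -4 -6; do
    # -f turns a non-2xx status into a failure; -sS stays quiet but still
    # reports transport errors on stderr for the operator.
    body="$(curl -fsS --max-time 5 "$family" "http://${host}/.well-known/acme-challenge/${name}")" || continue
    if [[ "$body" == "$token" ]]; then
      rc=0
      break
    fi
  done
  rm -f -- "$probe_file"
  return "$rc"
}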
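issue() {
  # Request (or renew) a Let's Encrypt certificate for ${host} through the
  # HTTP-01 webroot challenge. An empty/missing host is a no-op (returns 0).
  # The name is skipped when it does not yet resolve to this server; a failed
  # HTTP probe only warns; and a failing certbot never aborts the script —
  # deliberately best-effort, so one bad name cannot block the other names.
  # NOTE(review): resolve_ok() returns 0 when neither SERVER_PUBLIC_IPV4 nor
  # SERVER_PUBLIC_IPV6 is set, i.e. the DNS pre-check is then effectively off.
  local host="${1:-}"
  [[ -z "$host" ]] && return 0
  echo "[i] Versuche LE für ${host}"
  if ! resolve_ok "$host"; then
    echo "[!] DNS zeigt (noch) nicht hierher überspringe: ${host}"
    return 0
  fi
  if ! probe_http "$host"; then
    echo "[!] ACME-HTTP-Check für ${host} fehlgeschlagen (Port 80/IPv6/Firewall/Nginx prüfen)."
    # Continue anyway: certbot produces its own diagnostics if the challenge fails.
  fi
  # Function-local (was a global EXTRA_ARGS): a previous call must not leak
  # --reuse-key into the next host.
  local -a extra_args=()
  # For the MX host keep the private key across renewals, so the DANE TLSA
  # "3 1 1" record (hash of the public key) stays valid after a renewal.
  # MAIL_HOSTNAME may be unset (callers pass "${MAIL_HOSTNAME:-}"); with
  # `set -u` an unguarded reference here would kill the whole script.
  [[ "$host" == "${MAIL_HOSTNAME:-}" ]] && extra_args+=(--reuse-key)
  # The deploy hook is what installs the symlinks / reloads nginx after a
  # successful issue; without it the new certificate is never activated.
  local deploy_hook="/usr/local/sbin/mw-deploy.sh"
  if [[ ! -x "$deploy_hook" ]]; then
    echo "[!] Deploy-Hook ${deploy_hook} fehlt oder ist nicht ausfuehrbar." >&2
  fi
  # ${arr[@]+"${arr[@]}"} expands an empty array to nothing without tripping
  # `set -u` on bash < 4.4, where a plain "${arr[@]}" is an unbound variable.
  if ! certbot certonly \
      --agree-tos -m "${LE_MAIL}" --non-interactive \
      --webroot -w "${ACME_WEBROOT}" -d "${host}" \
      --deploy-hook "$deploy_hook" \
      ${extra_args[@]+"${extra_args[@]}"} ${CERTBOT_EXTRA[@]+"${CERTBOT_EXTRA[@]}"}; then
    # Best-effort on purpose (same as the old `|| true`), but say so instead
    # of failing silently.
    echo "[!] certbot fuer ${host} fehlgeschlagen." >&2
  fi
}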
# Entry point: only issue certificates once the installer has been pointed at
# a real domain; "example.com" is the unconfigured placeholder.
if [[ "${BASE_DOMAIN}" == "example.com" ]]; then
  echo "[i] BASE_DOMAIN=example.com LE wird übersprungen."
else
  # Same order as before: UI, webmail, then the MX host (which gets --reuse-key).
  issue "${UI_HOST:-}"
  issue "${WEBMAIL_HOST:-}"
  issue "${MAIL_HOSTNAME:-}"
  # Let nginx pick up new certificates, but never start it if it is not running.
  if systemctl is-active --quiet nginx; then
    systemctl reload nginx || true
  fi
fi